Organizations today face significant compliance challenges from regulations that bear on IT security. Beyond compliance itself, evolving IT vulnerabilities and threats continue to test corporate security policies and defenses. To make compliance efforts more effective, many organizations are adopting automated compliance solutions that address the threat landscape while also satisfying regulatory mandates. Understanding what a complete automated compliance solution can deliver, and determining which compliance problems need solving, will help internal auditors recommend the automated management product that best meets the company's ongoing compliance needs while reducing compliance costs and workload.
Keeping up with regulations — such as the U.S. Sarbanes-Oxley Act of 2002, the International Organization for Standardization's (ISO's) 27001 Standard, Japan's Personal Information Protection Act of 2003, and others — has become a significant burden for organizations around the world. Due to the increase in regulatory oversight during the last 10 years, developing and maintaining compliance has presented businesses with many challenges, such as:
- Increasing costs. According to AMR Research's Spending in an Age of Compliance report, companies spent approximately US $15.5 billion on compliance activities in 2005.
- Multiple regulations every year. A 2006 ControlPath Inc. study, Compliance Progress, found that organizations were required to comply with an average of 1.8 regulations per fiscal year. The same study found that 70 percent of respondents complied with different regulations individually, thus creating silos of compliance project teams.
- Lack of industry guidance. The Compliance Progress survey also found that the leading barriers to compliance were lack of education and information on compliance regulations.
A further concern for many organizations is the level of confidence a manual compliance approach can provide. Manual compliance efforts capture only snapshots in time, so they may not accurately reflect the company's current security compliance posture. As a result, many companies are starting to invest in automated compliance management solutions.
The Benefits of Compliance Automation
Automating the compliance process can provide numerous benefits to internal auditors and senior management: centralized audit information, automated controls testing, more effective management of third-party risk, risk management decisions based on real-time rather than point-in-time information, and greater confidence in the company's security compliance posture. Centralized audit information also gives internal auditors easier access to information on key controls and more timely compliance status. Automating the compliance effort therefore simplifies the work of internal auditors.
In addition, compliance automation software can help organizations automate the overall compliance process by providing a knowledgebase of compliance regulations and security standards. These products provide workflow capabilities to assist the organization in managing all aspects of compliance, including self-assessments, control analyses, corrective action planning and management, and controls testing.
For instance, in the finance and health-care industries, the use of third parties to perform critical business processes is widespread. In the United States, the Gramm-Leach-Bliley Act (GLBA) of 1999 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 require that organizations understand and manage the risks inherited through outsourcing relationships. To help manage these complex requirements, many organizations are turning to automated compliance software, which can facilitate internal audits by reusing companywide compliance work across multiple regulations and standards.
Furthermore, automation can reduce the labor costs associated with manual compliance efforts. In large financial institutions, for example, it is not uncommon to have tens of thousands of third-party service providers, which need to be assessed annually and require more careful scrutiny from a security risk perspective. Because the cost of performing these assessments manually is significant, automating the compliance process can simplify the assessment process and reduce costs.
Compliance automation solutions also address the problem of assessing compliance with multiple regulations at once. Taking the user authentication security control shown in Figure 1 as an example, assume that the organization needs to determine its compliance status with ISACA's Control Objectives for Information and related Technology (CobiT), the Payment Card Industry (PCI) Data Security Standard, and ISO 17799 (the code of practice that accompanies ISO 27001, since renumbered ISO 27002) for a group of 20 production servers. Rather than running three separate assessment efforts, the program sends a single compliance assessment questionnaire. For servers found to be in compliance, the program documents the existence of the control and captures the evidence for the audit. For servers that are not in compliance, the software automatically creates a remediation action item and tracks the problem until it is resolved, giving a closed-loop and more effective process. The application also retains the current compliance status of the control for as long as the control remains in place.
Despite these benefits, internal auditors and senior managers should keep in mind that compliance automation software is most appropriate for organizations that already have mature manual compliance processes and are subject to multiple regulations. If the organization lacks a defined compliance process, the software has nothing to automate: the process must be implemented first and only then encoded in the software.
Which Compliance Problems Need Solving?
To identify which compliance problems should be resolved first and focus time and money on the most appropriate solutions, auditors can conduct a risk assessment that determines which compliance problems are most critical, pose the greatest risk, and have the highest cost. For example, reducing the cost of Sarbanes-Oxley compliance is probably a high priority for many U.S. public companies, whereas organizations that must comply with multiple regulations may take a broader view by automating all of their compliance programs and processes. A unified compliance and risk management approach can yield confidence in compliance efforts, while significantly reducing costs.
One of the most challenging aspects of compliance is relating each implemented security control to each of the regulations. Table 1 depicts the scope of several compliance regulations and the approximate number of specific requirements in each, for a publicly traded company that processes credit card data daily. In this example, the company, which is subject to Sarbanes-Oxley and PCI compliance, uses ISO 27001 as the baseline for its information security controls and processes and CobiT as the basis for measuring compliance with Sarbanes-Oxley's Section 404. Based on the compliance scope of these regulations shown in Table 1, the company has implemented the following security control for its password change management policy:
Figure 1: Mapping a user authentication control to ISO 27001, CobiT, and PCI requirements
(Source: ControlPath Inc.)
According to Figure 1, the company has mapped each of the specific requirements found in ISO 27001, CobiT, and the PCI standard to its security control, which, in turn, must be applied to all servers and applications that process credit card data. The organization will also have to apply the control to the remaining servers and applications in its environment, particularly if it is moving toward ISO 27001 compliance and possible certification, because the ISO 27001 scope is not limited to systems that handle card data.
[Regulation or standard] | Number of Specific Requirements
HIPAA's Security Rule | 42 administrative, physical, and technical [implementation specifications]
[PCI Data Security Standard] | 12 high-level requirements with approximately 212 [detailed requirements]
The U.S. Federal Information Security Management Act of 2002 | 17 areas of security requirements, each of which references controls from the National Institute of Standards and Technology's 800-53 Special [Publication]
[CobiT] | Four domains, 34 high-level objectives, and 318 [detailed control objectives]
GLBA and the Federal Financial Institutions Examination Council's interagency guidelines | Seven high-level requirements, each of which comprises numerous detailed requirements
Table 1: Different compliance regulations and their approximate number of specific requirements (bracketed text restores regulation names and cell endings that did not survive extraction; rows for Sarbanes-Oxley and ISO 27001 are not present in the extracted table)
Consider the impact of this example on an internal audit. Because a single security control is being mapped to multiple regulations and standards, a single test of this control can be used to document compliance with CobiT, PCI, and the ISO standard. Now, extrapolate the control mapping example to an environment with hundreds of servers and applications, multiple company locations and business units, and various third-party service providers. These applications, locations, and providers require the use of different controls, compliance assessments, and remediation mechanisms to close gaps. Consequently, this organization can have hundreds of detailed security controls addressing different areas or domains of information security, including disaster recovery, user authentication, and network security. What's more, these controls need to be mapped against all of the regulations. Because CobiT, the PCI, and the ISO standard have numerous specific requirements, the magnitude of the task is considerable.
As the example shows, managing compliance manually may not be a sustainable way to track activity in a complex organization with this compliance scope. A compliance and security control knowledgebase may be a more effective tool for managing compliance activities. With such a tool in place, once a control has been selected and recorded, mapping it to each additional regulation becomes easier, because the knowledgebase already links the control to the parts of the organization being audited. The knowledgebase can also serve as the focal point for storing compliance evidence, which makes the audit process less complicated and less costly. In addition, applying a workflow capability to the assessment and remediation process eliminates much of the costly manual work associated with these activities.
Creating a central compliance knowledgebase offers another possibility — moving the organization away from "point-in-time" compliance activities to a continuous compliance process. Historically, the process of assessing risk has been periodic in nature. If a company hired a consultant to perform a yearly risk assessment, the output of that effort would provide a good measurement of what the organization's risks looked like at a single point in time each year. However, risks would continue to change between each assessment period as new elements or third-party vendors were added to the environment and as remediation efforts were completed.
To measure risks and compliance activities on an ongoing basis, companies may consider establishing a database of compliance knowledge, security controls, and organizational structure, including workflow capabilities, that can ease administrative burdens. For instance, as remediation actions are completed, real-time companywide risk measurements in the database can be lowered automatically to reflect this new reality. Similarly, as new risks are identified, risk measurements can be adjusted automatically to reflect this. As a result, the database can provide security, risk management, and compliance professionals with immediate, actionable information needed to improve the organization's risk posture.
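The three ideas above (one control mapped to several frameworks so that a single test documents compliance with all of them, a failed test opening a remediation item that a later pass closes, and a risk measurement that moves as items close) are easy to see in a small data model. The following Python is an added editorial example, not ControlPath's product or any code from the original article. The control, server names, evidence paths and requirement identifiers (ISO 27001 A.11.3.1, CobiT DS5.4, PCI DSS 8.5.9) are constructed for illustration and should be checked against the editions of the standards you are actually audited against.

```python
"""Added example: a minimal control knowledgebase with many-to-one requirement
mapping, per-asset test evidence, closed-loop remediation and a live risk score.
Control, asset names, evidence paths and requirement identifiers are illustrative."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass
class Control:
    control_id: str
    description: str
    requirements: dict[str, tuple[str, ...]]   # framework -> requirement ids it satisfies


@dataclass(frozen=True)
class TestResult:
    control_id: str
    asset: str
    passed: bool
    tested_on: date
    evidence: str                              # artefact captured for the audit


class Knowledgebase:
    def __init__(self) -> None:
        self.controls: dict[str, Control] = {}
        self.assets: set[str] = set()
        self.latest: dict[tuple[str, str], TestResult] = {}   # (control, asset) -> newest result
        self.remediation: dict[tuple[str, str], str] = {}     # (control, asset) -> open / closed
        self.tests_performed = 0

    def add_control(self, control: Control) -> None:
        self.controls[control.control_id] = control

    def add_asset(self, asset: str) -> None:
        self.assets.add(asset)

    def record_test(self, result: TestResult) -> None:
        """Keep the newest result per (control, asset); a failure opens a
        remediation item and a later pass closes it, which closes the loop."""
        if result.control_id not in self.controls:
            raise KeyError(f"unknown control {result.control_id}")
        key = (result.control_id, result.asset)
        self.add_asset(result.asset)
        self.tests_performed += 1
        prev = self.latest.get(key)
        if prev is not None and result.tested_on < prev.tested_on:
            return                                 # stale result: posture unchanged
        self.latest[key] = result
        if not result.passed:
            self.remediation[key] = "open"
        elif self.remediation.get(key) == "open":
            self.remediation[key] = "closed"

    def _controls_for(self, framework: str) -> list[Control]:
        found = [c for c in self.controls.values() if framework in c.requirements]
        if not found:
            raise KeyError(f"no control is mapped to {framework}")
        return found

    def status(self, framework: str, asset: str) -> str:
        """Roll up every control mapped to the framework for one asset."""
        states = set()
        for c in self._controls_for(framework):
            r = self.latest.get((c.control_id, asset))
            states.add("not assessed" if r is None else "compliant" if r.passed else "non-compliant")
        for worst in ("non-compliant", "not assessed"):
            if worst in states:
                return worst
        return "compliant"

    def open_items(self) -> list[tuple[str, str]]:
        return sorted(k for k, s in self.remediation.items() if s == "open")

    def risk_score(self, framework: str) -> float:
        """Share of (control, asset) pairs failing or untested; 0.0 means fully covered."""
        pairs = [(c.control_id, a) for c in self._controls_for(framework) for a in self.assets]
        bad = sum(1 for k in pairs if k not in self.latest or not self.latest[k].passed)
        return bad / len(pairs) if pairs else 0.0

    def evidence_for(self, framework: str, asset: str) -> list[tuple[str, str]]:
        """(requirement id, evidence) pairs an auditor can pull for one framework;
        the same stored test answers every framework the control is mapped to."""
        out = []
        for c in self._controls_for(framework):
            r = self.latest.get((c.control_id, asset))
            if r is not None and r.passed:
                out.extend((req, r.evidence) for req in c.requirements[framework])
        return out

    def assessments_covered(self) -> int:
        """Framework-by-asset assessments answered by the tests actually run."""
        return sum(len(self.controls[c].requirements) for c, _ in self.latest)


def build_example() -> Knowledgebase:
    """Constructed sample: one password-change control, three card-data servers."""
    kb = Knowledgebase()
    kb.add_control(Control(
        "AUTH-01", "User passwords on card-data systems expire and must be changed on a fixed interval",
        {"ISO 27001": ("A.11.3.1",), "CobiT": ("DS5.4",), "PCI DSS": ("8.5.9",)}))  # illustrative ids
    for srv in ("srv-01", "srv-02", "srv-03"):
        kb.add_asset(srv)
    kb.record_test(TestResult("AUTH-01", "srv-01", True, date(2007, 3, 1), "evidence/srv-01/pw-policy.txt"))
    kb.record_test(TestResult("AUTH-01", "srv-02", False, date(2007, 3, 1), "evidence/srv-02/pw-policy.txt"))
    return kb


def demo() -> dict[str, object]:
    """Assess, remediate srv-02, then try to record an out-of-date result for srv-01."""
    kb = build_example()
    out: dict[str, object] = {"open_before": kb.open_items(), "risk_before": kb.risk_score("PCI DSS")}
    kb.record_test(TestResult("AUTH-01", "srv-02", True, date(2007, 3, 15), "evidence/srv-02/pw-policy-v2.txt"))
    kb.record_test(TestResult("AUTH-01", "srv-01", False, date(2007, 2, 1), "evidence/stale.txt"))  # older than stored
    out.update(open_after=kb.open_items(), risk_after=kb.risk_score("PCI DSS"),
               srv01=kb.status("PCI DSS", "srv-01"), tests=kb.tests_performed, covered=kb.assessments_covered())
    return out


if __name__ == "__main__":
    print(demo())
```

Two tests answer six framework-by-asset assessments because the control carries its mappings, which is the saving the article describes; the risk score falls from 2/3 to 1/3 the moment srv-02's remediation closes, and a result older than the one already on file is ignored so that a stale questionnaire cannot reopen a closed item.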
The rapid growth in regulations impacting IT security activities has prompted many organizations to use inefficient manual efforts to achieve compliance. Considering compliance as a process, rather than as a one-time event, can transform compliance, making it a more productive, sustainable, and less costly activity. Using a central control and compliance database that is coupled with a compliance workflow capability will help automate compliance activities and eliminate inefficient manual efforts. Because internal auditors are key stakeholders in compliance programs, an automated compliance process greatly reduces the effort required to find audit information, thus enhancing the work of internal auditors.